Independent Researcher Filippo Cavallarin discovered a GateKeeper Bypass vulnerability in Apple’s MacOS X that will allow threat actors to execute untrusted code without any warning or the user’s permission.
GateKeeper is a mechanism developed by Apple and is included in MacOSX which enforces code signing and verifies downloaded applications before allowing them to run on the system.
Cavallarin said that because Gatekeeper considers both external drives and network shares as safe locations and it allows any application they contain to run and that by combining the design with two legitimate features of MacOS X, it will result in the complete deceivement of the intended behavior, according to a May 24 blog post.
The attack can be carried out by creating a zip file with a symlink to an automount endpoint then creating an application (.app folder) with the code you want to run. The attacker would then need to create a publicly accessible NFS share and put the .app in it, upload the zip somewhere online and download it so it gets the quarantine flag used by Gatekeeper, and extract the zip (if needed) and navigate it.
Apple has yet to release a patch for the vulnerability. The company has not responded to SC Media’s request for comment.